

test: add service infos to onboarding tests
Test actual service infos in onboarding tests to make sure
the onboarding client has the needed SELinux permissions.

Resolves: THEEDGE-3953

Signed-off-by: Miguel Martín <[email protected]>
mmartinv committed Oct 9, 2024
1 parent b43b6c2 commit ed5fe19
Showing 1 changed file with 155 additions and 21 deletions.
176 changes: 155 additions & 21 deletions test/fmf/tests/onboarding/run-onboarding.sh
Expand Up @@ -17,6 +17,8 @@ DATABASES="${MANUFACTURER_DATABASE} ${OWNER_DATABASE} ${RENDEZVOUS_DATABASE}"

OV_STORE_DRIVER="${OV_STORE_DRIVER:-Directory}"

SERVICE_INFO_DIR="/var/lib/fdo/service-info/files"

DATABASE_DRIVER="None"
[ "${OV_STORE_DRIVER}" != "Postgres" ] || DATABASE_DRIVER="postgresql"
[ "${OV_STORE_DRIVER}" != "Sqlite" ] || DATABASE_DRIVER="sqlite"
Expand All @@ -41,6 +43,67 @@ generate_fdo_certificates() {
done
}

generate_serviceinfo_files() {
mkdir -p ${SERVICE_INFO_DIR}/etc/{sudoers.d,pki/ca-trust/source/anchors}
cat > "${SERVICE_INFO_DIR}/etc/hosts" <<EOF
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
EOF
cat > "${SERVICE_INFO_DIR}/etc/sudoers.d/edge" <<EOF
edge ALL=(ALL) NOPASSWD: ALL
EOF
cat > "${SERVICE_INFO_DIR}/etc/pki/ca-trust/source/anchors/redhat.crt" <<EOF
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF

}


generate_ssh_key() {
SSH_KEY_TMP_DIR=$(mktemp -d)
SSH_KEY_FILE="${SSH_KEY_TMP_DIR}/ssh_key"
SSH_PUB_KEY_FILE="${SSH_KEY_FILE}.pub"
ssh-keygen -q -N '' -f "${SSH_KEY_FILE}"
cat "${SSH_PUB_KEY_FILE}"
rm -rf "${SSH_KEY_TMP_DIR}"
}

setup_postgresql() {
systemctl stop postgresql.service
rm -rf /var/lib/pgsql/data
Expand Down Expand Up @@ -153,11 +216,90 @@ setup_serviceinfo() {
tee "${CONF_DIR}/serviceinfo-api-server.yml" <<EOF
---
service_info:
initial_user: null
files: null
commands: null
diskencryption_clevis: null
additional_serviceinfo: null
initial_user:
username: edge
sshkeys:
- "${SSH_PUB_KEY}"
commands:
- command: touch
args:
- /etc/command-testfile1
- command: bash
args:
- -c
- echo command-testfile1-content1 > /etc/command-testfile1
- command: bash
args:
- -c
- echo command-testfile1-content2 >> /etc/command-testfile1
- command: mkdir
args:
- -p
- /etc/commands
- command: mv
args:
- /etc/command-testfile1
- /etc/commands/
- command: bash
args:
- -c
- echo command-testfile2-content1 > /etc/commands/command-testfile2
- command: bash
args:
- -c
- echo command-testfile2-content2 >> /etc/commands/command-testfile2
- command: rm
args:
- -rf
- /etc/commands
- command: find
args:
- /etc
- /var
- -type
- f
- -exec
- touch {}
- ;
- command: mkdir
args:
- -p
- /etc/sudoers.d /var/fdo /var/lib/fdo /var/fdo-test /var/lib/fdo-test
- command: /usr/bin/sed
args:
- -i
- -e
- s/^#PasswordAuthentication yes/PasswordAuthentication no/
- /etc/ssh/sshd_config
may_fail: false
return_stdout: true
return_stderr: true
- command: systemctl
args:
- restart
- sshd
return_stdout: true
return_stderr: true
- command: systemctl
args:
- daemon-reload
return_stdout: true
return_stderr: true
files:
- path: /etc/hosts
permissions: 644
source_path: ${SERVICE_INFO_DIR}/etc/hosts
- path: /etc/sudoers.d/edge
source_path: ${SERVICE_INFO_DIR}/etc/sudoers.d/edge
- path: /etc/pki/ca-trust/source/anchors/redhat.crt
source_path: ${SERVICE_INFO_DIR}/etc/pki/ca-trust/source/anchors/redhat.crt
# diskencryption_clevis:
# - disk_label: /dev/vda
# binding:
# pin: test
# config: "{}"
# reencrypt: true
# after_onboarding_reboot: true
bind: 0.0.0.0:8083
service_info_auth_token: 2IOtlXsSqfcGjnhBLZjPiHIteskzZEW3lncRzpEmgqI=
admin_auth_token: Va40bSkLcxwnfml1pmIuaWaOZG96mSMB6fu0xuzcueg=
Expand Down Expand Up @@ -185,33 +327,25 @@ perform_no_plain_di() {
}

onboard() {
/usr/libexec/fdo/fdo-client-linuxapp
LOG_LEVEL=trace /usr/libexec/fdo/fdo-client-linuxapp
}

[ "${OV_STORE_DRIVER}" != "Sqlite" ] || setup_sqlite
[ "${OV_STORE_DRIVER}" != "Postgres" ] || setup_postgresql
SSH_PUB_KEY=$(generate_ssh_key)
generate_fdo_certificates
setup_manufacturing
setup_owner
setup_rendezvous
generate_serviceinfo_files
setup_serviceinfo
systemctl restart fdo-{manufacturing,owner-onboarding,rendezvous,serviceinfo-api}-server.service
# Wait for servers to be up and running
until [ "$(curl -X POST http://${PRIMARY_IP}:8080/ping)" == "pong" ]; do
sleep 1;
done;

until [ "$(curl -X POST http://${PRIMARY_IP}:8081/ping)" == "pong" ]; do
sleep 1;
done;

until [ "$(curl -X POST http://${PRIMARY_IP}:8082/ping)" == "pong" ]; do
sleep 1;
done;

until [ "$(curl -X POST http://${PRIMARY_IP}:8083/ping)" == "pong" ]; do
sleep 1;
done;
for PORT in 808{0..3}; do
until [ "$(curl -s -X POST http://${PRIMARY_IP}:${PORT}/ping)" == "pong" ]; do
sleep 1;
done;
done
perform_no_plain_di
[ "${OV_STORE_DRIVER}" = "Directory" ] || export_import_vouchers
sleep 60
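Review bot: The `/etc/sudoers.d/edge` entry in the `files` list sets no `permissions`, while the neighbouring `/etc/hosts` entry pins `644`; sudo refuses drop-in files that are group- or world-writable or not owned by root, so whatever mode the client applies by default decides whether the `NOPASSWD: ALL` rule is honoured or silently skipped, and the test should pin it with `permissions: 440` under `- path: /etc/sudoers.d/edge`. In the `find` command, `- touch {}` is a single YAML scalar and therefore reaches `find -exec` as one argv word; find substitutes `{}` inside the word and then tries to execute a program literally named `touch /etc/...`, so unless that failure is intended the two should be separate items, `- touch` and `- "{}"`. The `LOG_LEVEL=trace` run in `onboard()` will dump far more of the client's exchange into the test log than before; I'd check that the service-info responses (the injected sudoers content and SSH public key at least) are acceptable to have in CI artifacts. The `setup_serviceinfo` here-document begins at the hunk header and its closing `EOF` lies past the collapsed region, so the rest of that function is not visible in this view.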

